CVE-2020-7351

Name of the Vulnerable Software and Affected Versions Fonality Trixbox Community Edition versions 1.2.0 through 2.8.0.4

Description An OS Command Injection issue in the endpoint devicemap.php component allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012.

Recommendations For versions 1.2.0 through 2.8.0.4, consider disabling access to the endpoint devicemap.php component until a fix is available. Restricting the privileges of the "asterisk" user may also help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.